Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OEE Knowledge Base RAG

v1.0.0

Semantic knowledge base allowing ingest, search, and retrieval of saved texts, URLs, and files using embeddings and SQLite.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (ingest/search/retrieve using embeddings + SQLite) matches the code's behavior. However, SKILL.md explicitly requires ANTHROPIC_API_KEY or OPENAI_API_KEY for embeddings, yet the registry metadata lists no required env vars/primary credential. Also the code expects external binaries (yt-dlp, pdftotext) and Python packages (fitz/PyMuPDF) that are not declared in the metadata. These omissions are incoherent and should be clarified.
Instruction Scope
Runtime instructions and code fetch arbitrary URLs, download content, extract transcripts, and run subprocesses (yt-dlp, pdftotext, a python -c fallback that imports fitz). They create a local SQLite DB (kb.db) and write temporary files under /tmp. While this is consistent with a KB ingest tool, the instructions and code do not declare or warn about these external fetches/subprocesses or which environment variables are required, and they give the agent freedom to ingest arbitrary remote content — a review and stricter scoping are recommended.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded/installed by the installer. That's lower risk, but the code invokes external binaries (yt-dlp, pdftotext) and may require Python packages (fitz). The skill does not declare these requirements in SKILL.md or registry metadata.
Credentials
SKILL.md requires ANTHROPIC_API_KEY or OPENAI_API_KEY (and the code reads KB_EMBED_MODEL from env), which is proportionate for embedding calls. However the registry metadata claims 'Required env vars: none' and 'Primary credential: none' — an inconsistency. Requiring an LLM/embed API key is reasonable for this skill, but it must be declared and users should only supply keys with minimal scope and/or dedicated billing.
Persistence & Privilege
The skill does not request always:true nor modify other skills. It persists data to a local SQLite DB (kb.db) and writes temporary files under /tmp for processing; this is expected for a KB tool.
What to consider before installing
This skill appears to be a local RAG knowledge base and the code largely matches that purpose, but there are important inconsistencies you should resolve before installing or supplying API keys:

  • SKILL.md says you need ANTHROPIC_API_KEY or OPENAI_API_KEY but the registry metadata lists no required env vars — assume the code will attempt to call an embeddings API. Only provide a key you trust and ideally create a dedicated, limited-scope key for this purpose.
  • The code calls external binaries (yt-dlp for YouTube transcripts, pdftotext as a PDF fallback) and may rely on Python packages like PyMuPDF (fitz). These dependencies are not declared; if you run this skill, ensure those binaries/packages are installed from official sources. Running in a sandbox/container is recommended.
  • The skill fetches arbitrary URLs and runs subprocesses to extract content. This is expected for an ingest tool but means it will make outbound network requests and execute local binaries. Do not point it at sensitive internal URLs or supply credentials without reviewing the code.
  • The skill creates a local database (kb.db) in the skill directory and writes temporary files to /tmp; protect that file if it will contain sensitive data.

If you plan to use this skill: inspect the full kb.py (the provided snippet was truncated), confirm where it sends network requests and which env vars it reads, install required binaries from trusted sources, and consider running it in an isolated environment. If you cannot verify those points, treat the skill as potentially risky.

Like a lobster shell, security has layers — review code before you run it.

latest vk978nj8t2axwdx09ve9cjwgw55814d21
711 downloads
0 stars
1 version
Updated 8h ago
v1.0.0
MIT-0

🐾 Knowledge Base (RAG) — Your Second Brain

by Odin's Eye Enterprises — Ancient Wisdom. Modern Intelligence.

Save anything, recall it semantically. Personal RAG-powered knowledge base with SQLite + embeddings.

What It Does

  1. Ingest — Save text, URLs, files, notes into your knowledge base
  2. Query — Semantic search across everything you've saved
  3. Retrieve — Get relevant context for any question

Trigger Phrases

  • "remember this"
  • "save this to the knowledge base"
  • "what do I know about"
  • "search my notes"
  • "KB query"

Usage

# Ingest text
python ingest.py "The key insight from today's meeting was..."

# Ingest from a file
python ingest.py --file notes.md

# Query the knowledge base
python query.py "What did we discuss about pricing?"

# Full KB management
python kb.py stats
python kb.py search "topic"

Files

  • kb.py — core KB engine (embeddings, storage, retrieval)
  • ingest.py — CLI for adding content
  • query.py — CLI for searching
  • kb.db — SQLite database (auto-created)

Requirements

  • Python 3.10+
  • ANTHROPIC_API_KEY or OPENAI_API_KEY for embeddings

For Agents

Save context: python ingest.py "TEXT"
Retrieve context: python query.py "QUESTION"
